up:: The Threat MOC
Bitcoin and Blockchain Quantum Risk
The quantum risk to Bitcoin and similar chains is specific rather than a flat doomsday. A cryptographically relevant quantum computer running Shor’s algorithm breaks the ECDSA signatures on the secp256k1 curve that authorize spends, so it can recover a private key from a public key and move coins whose public key is exposed on the blockchain. The SHA-256 hashing that secures mining faces only Grover’s algorithm, which gives a square-root speedup that specialized ASIC miners outpace, so the chain’s proof-of-work is comparatively resilient. That split, signatures vulnerable and mining resilient, is the whole shape of blockchain quantum risk, and no machine capable of executing the signature attack exists in 2026.
The short version:
- The break is on signatures, not on mining. Shor’s algorithm recovers a private key from a public key, so it forges the ECDSA spend authorization; Grover’s algorithm only dents SHA-256 mining and ASICs outrun it.
- Exposure depends on whether your public key is visible on-chain. Older pay-to-public-key outputs and reused addresses publish the key; unused pay-to-public-key-hash addresses publish only a hash, which gives Shor’s nothing to attack.
- A peer-reviewed Deloitte analysis estimates roughly 4 million BTC, about 25% of supply, sit in addresses with exposed public keys, split between early P2PK coins and reused P2PKH addresses.
- There is a long-exposure risk (coins already sitting behind a visible key) and a narrower short-exposure risk (the window between broadcasting a transaction and its confirmation).
- The fix is a post-quantum signature soft-fork, adopting a NIST signature like ML-DSA before a CRQC arrives. The exposure is real, bounded, and fixable.
What does a quantum computer actually threaten in Bitcoin?
It threatens the signatures, which is the part that proves you are authorized to spend. Bitcoin authorizes every spend with ECDSA over the secp256k1 curve: the private key is the wallet, and a valid signature is the spend authorization. ECDSA’s security rests on the elliptic-curve discrete logarithm problem, which is exactly the math Shor’s algorithm solves efficiently. A CRQC running Shor’s takes a public key and recovers the matching private key in polynomial time, after which it can sign a transaction that moves the coins to itself, indistinguishable from a legitimate spend.
What a quantum computer does not meaningfully threaten is the mining that orders and secures the chain. Bitcoin’s proof-of-work is a SHA-256 search, and the only quantum attack on it is Grover’s algorithm, which finds a target in about the square root of the search space instead of the full space. That square-root speedup is far weaker than what Shor’s does to signatures, and it barely parallelizes, so purpose-built ASIC miners running at enormous clock rates outpace a near-term quantum machine. Aggarwal and co-authors put it directly: Bitcoin’s proof-of-work “is relatively resistant to substantial speedup by quantum computers in the next 10 years, mainly because specialized ASIC miners are extremely fast compared to the estimated clock speed of near-term quantum computers.” So the threat model is signatures broken, mining resilient.
Sources:
Standards for Efficient Cryptography Group, “SEC 2: Recommended Elliptic Curve Domain Parameters,” which defines secp256k1, SEC 2 v2.
Divesh Aggarwal, Gavin K. Brennen, Troy Lee, Miklos Santha, Marco Tomamichel, “Quantum attacks on Bitcoin, and how to protect against them,” 2018, arXiv:1710.10377.
Which coins are exposed, and which are protected by a hash?
The answer turns entirely on whether the public key is visible on the blockchain, because Shor’s algorithm needs the public key to derive the private one. Bitcoin’s address types differ precisely on this point:
- Pay-to-public-key (P2PK), exposed. The earliest outputs, including much of what the first miners hold, store the full public key on-chain permanently. The key has been visible for over a decade, so these coins carry the maximum long-exposure risk.
- Pay-to-public-key-hash (P2PKH), protected while unused. A modern address publishes only a hash of the public key. A hash gives Shor’s algorithm nothing to attack, so as long as the address has never spent, the public key stays hidden and the coins are shielded.
- Reused P2PKH, exposed. The protection ends the moment you spend, because spending reveals the public key in the transaction. Any address that received funds again after a spend is sitting behind an already-revealed key, so reused addresses are exposed even though they look modern.
The security property doing the work here is that SHA-256 is a one-way hash, and quantum computing does not reverse it: Grover’s algorithm leaves SHA-256 with roughly 128 bits of preimage strength, far out of reach. So a never-spent P2PKH address is protected by its hash, and the exposure concentrates in P2PK outputs and reused addresses whose keys are already public. The standing best practice that follows is to use a fresh address for every receipt and never reuse one after spending.
Source: Itan Barmes and Bram Bosch, “Quantum computers and the Bitcoin blockchain,” Deloitte, deloitte.com.
How much Bitcoin is actually at risk?
A widely cited Deloitte analysis put concrete numbers on the exposed supply. It found roughly 4 million BTC, about 25% of all Bitcoin, in addresses with exposed public keys, which are the coins a capable quantum attacker could in principle take. The breakdown is the useful part:
| Exposure type | Approximate BTC | Trend | Why exposed |
|---|---|---|---|
| Early pay-to-public-key (P2PK) | ~2 million | Roughly constant since the early days | Full public key stored on-chain permanently |
| Reused P2PKH addresses | ~2.5 million | Decreasing slowly from a 2014 peak | Public key revealed once the address first spent |
The two figures overlap and round to about 4 million BTC of genuinely exposed coins. The number is a point-in-time research estimate that moves as coins are spent, addresses are reused, and hygiene improves, so treat it as an order-of-magnitude picture rather than a fixed constant. The load-bearing takeaway holds regardless of the exact count: a large but bounded fraction of the supply is exposed, concentrated in the oldest coins and in poor address hygiene, while the majority protected by unused P2PKH hashes is not directly reachable by Shor’s algorithm.
Source: Itan Barmes and Bram Bosch, “Quantum computers and the Bitcoin blockchain,” Deloitte, deloitte.com. [OPERATOR VERIFY: these are Deloitte's point-in-time estimates; re-confirm the current figures and methodology date before citing them as current.]
What are the long-exposure and short-exposure attack windows?
There are two distinct attack timings, and they carry very different risk. Sorting them out is what separates a sober read from a panic.
The long-exposure attack targets coins whose public key is already visible and static: the P2PK outputs and reused addresses above. Here the attacker has effectively unlimited time, because the key has been on-chain for years and is not going anywhere. A CRQC can derive the private key at leisure and move the funds. This is the larger and more durable exposure, and it is why the ~4 million exposed BTC matter.
The short-exposure attack targets a well-managed, never-reused address during the brief window when it spends. When you broadcast a transaction, your public key enters the mempool before the network confirms the block, so for those minutes the key is visible. An attacker with a fast enough CRQC could in principle derive the private key and race a competing transaction, redirecting the funds before confirmation.
The practical difficulty is a timing race: Bitcoin takes about 10 minutes to mine a block, and breaking a single signature would have to fit inside that window. Aggarwal and co-authors note ECDSA signatures “could be completely broken by a quantum computer as early as 2027, by the most optimistic estimates,” and the Deloitte discussion frames the race against the roughly 10-minute confirmation time. Both windows require a machine that does not yet exist, but they call for different defenses: the long window needs coins moved to quantum-safe addresses ahead of time, and the short window needs a protocol-level signature upgrade.
Sources: Divesh Aggarwal, Gavin K. Brennen, Troy Lee, Miklos Santha, Marco Tomamichel, “Quantum attacks on Bitcoin, and how to protect against them,” 2018, arXiv:1710.10377. Itan Barmes and Bram Bosch, “Quantum computers and the Bitcoin blockchain,” Deloitte, deloitte.com.
Is Bitcoin mining threatened by quantum computing?
No, not in the near term, and this is the part the headlines usually get backward. Mining rests on SHA-256, and the only quantum attack on a hash function is Grover’s algorithm, which offers a square-root speedup rather than the exponential break Shor’s gives signatures. Three facts stack up in mining’s favor:
- The speedup is only quadratic. Grover’s turns a search of
Ninto about√N, which weakens a hash target rather than breaking it, unlike Shor’s collapse of the discrete-logarithm math under ECDSA. - ASICs are far faster than near-term quantum clocks. Purpose-built SHA-256 miners run at rates that dwarf the estimated clock speed of early quantum machines, so Grover’s edge does not translate into a practical mining advantage. That is the Aggarwal result: proof-of-work is resilient for roughly the next decade.
- Grover’s barely parallelizes. Its speedup is fundamentally serial, so throwing many quantum machines at the problem buys far less than throwing many classical machines at classical brute force. Mining, which parallelizes cleanly across hardware, keeps its structural advantage.
So the honest headline is that quantum computing threatens who can spend coins, through signatures, and not who can mine them, through proof-of-work. This mirrors the general rule of the quantum threat: Shor’s shatters the public-key layer while Grover’s merely dents the symmetric-and-hash layer.
Source: Divesh Aggarwal, Gavin K. Brennen, Troy Lee, Miklos Santha, Marco Tomamichel, “Quantum attacks on Bitcoin, and how to protect against them,” 2018, arXiv:1710.10377.
How would Bitcoin defend against a quantum computer?
The defense is a migration to post-quantum signatures, and because a CRQC does not exist yet, the network has runway to make it. The building blocks already exist as finalized NIST standards: ML-DSA as the general-purpose lattice signature and SLH-DSA as the conservative hash-based alternative, both resting on problems with no known efficient quantum attack. The plausible paths:
- A post-quantum signature soft-fork. The protocol adds a new quantum-safe address type backed by a NIST signature, letting holders move coins into outputs a CRQC cannot forge. This is the durable fix for the long-exposure risk, and it is the reason Bitcoin’s exposure is fixable rather than fatal.
- Proactive coin migration. Even before a soft-fork, moving funds out of exposed P2PK and reused addresses into fresh, never-spent addresses shrinks the exposed supply, since an unused P2PKH address hides its public key behind a hash.
- Address hygiene as standing practice. Using a new address per receipt and never reusing one after a spend keeps the public key hidden for as long as possible, which is a defense holders can apply today with no protocol change.
The constraints are real. A signature change is a large coordination effort across wallets, exchanges, miners, and users, post-quantum signatures are far larger than ECDSA (which affects transaction size and fees), and coins in lost wallets can never be migrated by their owners, so some exposed supply will remain a standing question for the community. None of that makes the risk an on-off switch. It makes it an engineering and governance project on a timeline the CRQC has not yet forced.
Source: NIST, Post-Quantum Cryptography FIPS approvals, August 2024 (FIPS 203, 204, 205 finalized).
Common misconceptions
- “A quantum computer would break Bitcoin overnight.” It would threaten spending coins whose public key is exposed, one signature at a time, and it needs a machine that does not exist in 2026. The chain’s mining and its hash-protected addresses are not directly reachable.
- “Quantum breaks Bitcoin by out-mining the network.” Mining rests on SHA-256, which faces only Grover’s quadratic speedup, and ASIC miners outrun near-term quantum machines. The break is on ECDSA signatures, not proof-of-work.
- “All my coins are exposed the moment a CRQC exists.” Coins in never-spent P2PKH addresses publish only a hash of the public key, which Shor’s algorithm cannot use. Exposure concentrates in P2PK outputs and reused addresses.
- “There is nothing anyone can do.” The network can adopt a post-quantum signature soft-fork, and holders can move coins to fresh addresses and stop reusing them. The exposure is bounded and fixable ahead of the machine.
- “This is unique to Bitcoin.” Any chain that authorizes transactions with ECDSA or another elliptic-curve signature (Ethereum and many others) carries the same signature exposure, because the vulnerable primitive is the elliptic-curve math, not Bitcoin specifically.
Questions people ask
Will a quantum computer break Bitcoin? It will threaten the ECDSA signatures that authorize spends, letting an attacker recover a private key from an exposed public key and move those coins. It does not break the SHA-256 mining that secures the chain, and no machine capable of the signature attack exists yet, so the exposure is real but bounded and fixable.
How much Bitcoin is at risk? A Deloitte analysis estimated roughly 4 million BTC, about 25% of supply, in addresses with exposed public keys, split between about 2 million in early P2PK coins and about 2.5 million in reused P2PKH addresses. It is a point-in-time estimate that changes with usage.
Are my coins safe if I never reuse addresses? A never-spent pay-to-public-key-hash address publishes only a hash of your public key, which Shor’s algorithm cannot attack, so it is protected while unused. The exposure appears when you spend and reveal the key, which is why reuse is the hazard.
Does quantum computing threaten Bitcoin mining? Not seriously in the near term. Mining rests on SHA-256, and Grover’s algorithm gives only a square-root speedup that ASIC miners outpace, so proof-of-work is resilient for roughly the next decade while signatures are the real exposure.
What is the short-exposure attack window? When you broadcast a transaction, your public key sits in the mempool before confirmation, so for those minutes it is visible. A fast enough CRQC could derive the key and race a competing transaction, but it would have to break the signature inside Bitcoin’s roughly 10-minute block time.
How would Bitcoin fix this? Through a post-quantum signature soft-fork that adds a quantum-safe address type backed by a NIST signature like ML-DSA or SLH-DSA, plus moving coins out of exposed addresses. The main work is coordination across the ecosystem, and there is runway because a CRQC has not arrived.
Is this the same as harvest-now-decrypt-later? It is related but distinct. HNDL is about recording encrypted traffic to decrypt later, a confidentiality problem. Bitcoin’s exposure is a signature-forgery problem: an exposed public key sits on a permanent public ledger, so the attacker does not need to record anything, the key is already there waiting for a capable machine.
Everything here is the map, given freely. When your team needs blockchain or signature exposure sorted into what a quantum computer can actually reach and what to move first, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.